Published: 22 September 2014
I’ve been watching the huge amount of news articles, TV footage and forums regarding the recent celebrity hacking scandal, with something akin to amusement.
“God damn 500k+ views on this one thread in less than a day” – anon poster
Hundreds of guys are downloading the images, others saying why bother, there is better free porn on the internet. Some women are comparing said guys to paedophiles, molesters and rapists, and others are posting naked pictures of themselves in support of the celebrities. Apple saying iCloud is perfectly safe and the huge media interest it has garnered makes it a sordid spectacle to behold. I think the Romans would be proud of the show.
Most people tend to use at least one of the main file storage systems: Dropbox, Google Drive, iCloud etc. Personally I’ve used Dropbox for umpteen years, mainly because I know that the files are transmitted securely using SSL with AES-256 encryption. They have also been around longer than all the others, so perhaps that gives them a certain edge. None of their staff are allowed to root through the contents of what you’re storing short of a court order.
Do I store stuff in it that would be damaging if it ended up in the public domain? It depends on your definition of damaging. It does contain legal documents, personal code projects (i.e. not Sagittarius) among other things. I would be more upset if I lost the files than if they were accessed by somebody else. There isn’t anything in there that couldn’t be fixed by changing a few passwords.
In some reality where I was a bronzed, ripped, coding god, would I store personal pics of myself on Dropbox or anything else? No, because I’m not naive enough to think for one minute that any online storage system is 100% safe.
But it does make you look at your own setup and think “you know what, if this was hacked what’s the fallout?” So if I was you and you use any of the above systems I would look over it and just think about what if the worst happened. Make sure the secret questions are set; you have a strong password and enable “two step verification” if it’s available.
I was interested by AppleInsider’s article http://appleinsider.com/articles/14/09/02/apple-says-icloud-is-safe-and-secure-stolen-celebrity-pics-were-targeted. It’s a good article and I like Apple’s response and their quick investigation, but this statement:
“Apple says iCloud is safe and secure, stolen celebrity pics were targeted accounts”
It may just be me, but isn’t the above statement the equivalent of saying “we won’t guarantee any security if the people trying to gain access actually care about getting in”? Now I’ve been around long enough to know that accessing someone’s account is always simply down to time. It’s the service providers’ responsibility to make the amount of time it would take disproportionate to the gain of getting access. This is why the longer the password, the more secure your account is, because:
- Hackers gain access by trying the top 15ish passwords on the list and give up (sometimes!)
- By using large numbers of letters, numbers, symbols etc. you increase the time it takes to brute force your way in.
For instance, if it’s an eight-character password these are the number of combinations depending on the type of password you choose:
- 208,827,064,576 – all letters (single case)
- 53,459,728,531,456 – all letters, upper case and lower case
- 218,340,105,584,896 – all letters, upper case and lower case, plus numbers
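To show where those three figures come from, and how they scale with length and with the guessing rate an attacker can achieve, here is an added example (my own code, not from the original post or from Apple). The alphabet sizes follow the three cases above plus printable symbols; the online and offline guess rates are constructed illustrative numbers, not measurements of any real service.

```python
# Keyspace and worst-case guessing time for passwords of a given length over
# a given alphabet. The guess rates are constructed figures for illustration.

ALPHABETS = {
    "letters (single case)": 26,
    "letters (both cases)": 52,
    "letters (both cases) and digits": 62,
    "letters, digits and printable symbols": 95,
}

# Constructed rates: a throttled online login endpoint versus offline
# cracking of a leaked hash database on GPUs.
ONLINE_RATE = 10
OFFLINE_RATE = 10 ** 10


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def cumulative_keyspace(alphabet_size: int, max_length: int) -> int:
    """All passwords of length 1..max_length; an attacker tries short ones first,
    so this is the work to exhaust everything up to a given length."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def worst_case_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Time to try the whole keyspace at the given rate (expected time is half)."""
    return keyspace(alphabet_size, length) / guesses_per_second


def humanise(seconds: float) -> str:
    """Render a duration in the largest unit that fits, one decimal place."""
    units = [("years", 365 * 24 * 3600), ("days", 86400),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    for length in (8, 12, 16):
        for name, size in ALPHABETS.items():
            n = keyspace(size, length)
            online = humanise(worst_case_seconds(size, length, ONLINE_RATE))
            offline = humanise(worst_case_seconds(size, length, OFFLINE_RATE))
            print(f"{length:2d} chars, {name:38s} {n:>32,d}  "
                  f"online: {online:>22s}  offline: {offline}")
```

Running it reproduces the three eight-character figures above and makes the post’s point visible: an eight-character mixed-case-plus-digits password that survives centuries of throttled online guessing falls in hours once an attacker has the hashes offline, while adding four more characters multiplies the work by the alphabet size four times over.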
So for Apple to say:
“celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet”
It begs the question: why are you allowing weak passwords and security questions, when you know as well as I do that they are the most common attacks? Why don’t these systems (not just Apple) detect any password or security question answer that is in the top X of known weak passwords and tell the users to change them? The concern is that if the passwords were secure and high strength, then how did the hacker gain access? If Apple’s system allows brute force password attacks it is a worry, because no matter how strong your password is you are in danger. And the fact that they use security questions at all is troubling, when most major security groups have said they should be abandoned due to their inherent insecurity.
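The two defences this paragraph asks for, rejecting anything on a known-weak list and refusing to let a login endpoint be brute forced, are small to implement. The following is an added example of my own, not code from the original post or from any provider: a password check against a denylist (the list here is a constructed handful of entries standing in for a published top-N list) and a per-account failed-attempt throttle with a lockout window. The same `check_password` call can be applied to security-question answers, which are just weaker passwords.

```python
import re
import time
from collections import deque

# Constructed stand-in for a published "top N" weak-password list; a real
# deployment would load tens of thousands of entries from such a list.
WEAK_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123", "123456789",
    "111111", "1234567", "iloveyou", "adobe123", "123123", "admin",
    "letmein", "monkey", "welcome", "football",
}


def _lookup_forms(candidate: str) -> set:
    """Forms to look up: lowercased as typed, and with the common
    'append some digits or punctuation' mangling stripped off."""
    lowered = candidate.lower()
    stripped = re.sub(r"[\d!@#$%^&*.]+$", "", lowered)
    return {lowered, stripped} - {""}


def check_password(candidate: str, min_length: int = 12) -> tuple:
    """Return (accepted, reason). Rejects short passwords and anything on the
    weak list, so the user is told to pick another at registration or reset."""
    if len(candidate) < min_length:
        return False, f"shorter than {min_length} characters"
    if _lookup_forms(candidate) & WEAK_PASSWORDS:
        return False, "appears on the known-weak password list"
    return True, "ok"


class LoginThrottle:
    """Per-account failed-attempt counter with a lockout window. Online
    guessing only runs as fast as the server permits; capping failures per
    account keeps the attacker far below the brute-force rates above."""

    def __init__(self, max_failures=5, window_seconds=900,
                 lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock            # injectable for deterministic tests
        self.failures = {}            # account -> deque of failure timestamps
        self.locked_until = {}        # account -> time the lock expires

    def is_locked(self, account: str) -> bool:
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            del self.locked_until[account]
            self.failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Record one failed login; returns True if the account is now locked."""
        now = self.clock()
        recent = self.failures.setdefault(account, deque())
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()          # forget failures outside the window
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            return True
        return False

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)
```

On the login path the server checks `is_locked` before even comparing the password, and calls `record_failure` or `record_success` afterwards; with the defaults, an attacker gets at most five guesses per account per quarter hour, which turns the eight-character keyspace figures above into millennia rather than hours.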
I guess what they are saying is nobody gained access to the Apple network and storage but that doesn't really absolve them of all blame. If you’re worried about your security on Apple's site this is their security page http://support.apple.com/kb/ht4232
Anyway, that’s enough about Apple; the other thing I’ve been watching is that several (entrepreneurial?) guys have been setting up websites that let you download the images. The sites are covered with adverts to generate money for the owners. The quote above about 500k+ views gives you an idea of the money these guys must be making from online advertising. I just find that fascinating, don’t you? It shows quick thinking on their part; I guess some would say it’s pretty exploitative, but you can’t help but be impressed by their smarts. Not to mention the speed you can set up domains and hosting in this day and age.
I’ve also been enjoying the various legal entities for these celebrities fighting the huddled and tired masses. You have to say, why bother? Now you’re probably thinking that’s pretty harsh, but the fact of the matter is they might as well try computing the last digit of π or condensing all the rain in the sky into a giant rain drop. The music and video industries have been trying since forever to prevent people from downloading pirated files, and you know what? They aren’t any closer today to achieving that goal than the day they started; they might as well have spent all the money they invested in anti-piracy on sending all their staff to Hawaii.
The moment those files became publicly accessible they were pulled down to individual PCs and shared on a vast number of file sharing sites, most of which nobody has ever heard of. Several free Dropbox accounts have been set up to make those files available publicly. Not to mention the powerhouse that is torrent applications: the moment any content becomes available on a torrent it’s game over. They can try and prosecute individual nodes (i.e. people) on the torrent. But the fact is, once something is available, short of shutting down hundreds if not thousands of nodes they are never going to get ownership over that content again.
I’m not even going into the anonymous dark web here; the above is used by the majority of tech users and is reason enough to give up. They won’t though; they publicly need to be seen to be reacting, not to mention it’s a great way for the lawyers to get some cash together for the next Christmas party.
I guess when all is said and done, all you can do is agree with Kirsten Dunst and feel sorry for all involved…